FirstBlood-#1166 — Open redirect on logout remained unpatched
This issue was discovered on FirstBlood v3
On 2022-12-08, 0xblackbird Level 5 reported:
Summary:
Hi!
I found out that the open redirect remained unfixed since the previous hackevent!
Possible Cause:
The issue remained unfixed from the previous version of FirstBlood. It didn't properly validate user input before, as it only checked whether the redirect URL starts with a / char.
Impact:
I'm able to redirect any user from a trusted host to any other external host.
Steps to reproduce:
Proof of Concept URL: /drpanel/logout.php?ref=%2F%09%2Fexample%2ecom
1) Visit the PoC above (it does not really matter whether you're authenticated or not)
2) You'll notice that you got redirected to https://example.com
Mitigation:
I recommend using a strong regex pattern or implementing a whitelist-based approach.
Have a nice day!
Kind regards,
0xblackbird
P4 Low
Endpoint: /drpanel/logout.php
Parameter: ref
Payload: %2F%09%2Fexample%2ecom
FirstBlood ID: 68
Vulnerability Type: Open Redirect
The open redirect on /drpanel/logout.php remains unfixed
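Added example (not FirstBlood's code, and not from the reporter): the "starts with /" check described above, placed beside the allowlist-based validation the report recommends. The payload bypasses the weak check because browsers strip ASCII tab and newline from a URL before parsing it, so a Location header of /<TAB>/example.com is followed as //example.com, a scheme-relative URL to an external host. The allowed prefix /drpanel/ and the fallback path /drpanel/login.php are assumptions for the example.

```python
# Added example, not FirstBlood's own code. Demonstrates why a bare
# "starts with /" check is insufficient for a redirect target and what an
# allowlist-based validator for the ref parameter looks like.
from urllib.parse import unquote, urlsplit

# Constructed for this example: the only locations logout.php may send a user to.
ALLOWED_PATH_PREFIXES = ("/drpanel/",)
DEFAULT_TARGET = "/drpanel/login.php"  # hypothetical fallback path


def weak_check(ref: str) -> bool:
    """The check the report describes: accept anything starting with '/'.
    '/\\t/example.com' passes, yet browsers discard tab/newline before
    parsing, so the redirect is followed as '//example.com'."""
    return ref.startswith("/")


def safe_redirect_target(ref: str, default: str = DEFAULT_TARGET) -> str:
    """Return ref only if it is a same-origin path under an allowed prefix;
    otherwise return the default. ref is the already percent-decoded value
    (as PHP's $_GET would hand it over)."""
    if not ref:
        return default
    # Any control character or whitespace is rejected: browsers strip
    # tab/newline, which is exactly what the reported bypass relies on.
    if any(ch.isspace() or ord(ch) < 0x20 or ord(ch) == 0x7F for ch in ref):
        return default
    # Browsers treat backslash as '/' in http(s) URLs; refuse it outright.
    if "\\" in ref:
        return default
    # Exactly one leading slash: '//host' is a scheme-relative URL.
    if not ref.startswith("/") or ref.startswith("//"):
        return default
    parts = urlsplit(ref)
    if parts.scheme or parts.netloc:
        return default
    # Refuse dot-dot segments so the prefix check cannot be walked out of.
    if ".." in parts.path.split("/"):
        return default
    # Allowlist: the path must sit under a known application prefix.
    if not any(parts.path.startswith(p) for p in ALLOWED_PATH_PREFIXES):
        return default
    return ref


def check_payload(encoded: str) -> dict:
    """Decode a raw query-string value the way the server would, then run
    both checks so the difference is visible side by side."""
    decoded = unquote(encoded)
    return {
        "decoded": decoded,
        "weak_check_accepts": weak_check(decoded),
        "hardened_target": safe_redirect_target(decoded),
    }


if __name__ == "__main__":
    # The payload from the report, and a legitimate in-app target for contrast.
    print(check_payload("%2F%09%2Fexample%2ecom"))
    print(check_payload("%2Fdrpanel%2Findex.php"))
```

The validator rejects rather than "cleans" a suspicious value and falls back to a fixed in-application path, which is the allowlist approach the report suggests; a regex that tries to enumerate bad characters tends to miss the next encoding trick, while an allowlist of permitted paths does not depend on knowing every browser parsing quirk.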